Windows Startup Item Database

HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

Page

Key:

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

	Startup Name	Process Name	Details
X		system32.exe	"Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field"
X		pathex.exe	"Added by the MKMOOSE-A WORM!"
X		svchost.exe	"Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder"
X		MSPF.EXE	"Added by a variant of the SDBOT WORM!"

	Note - not be mistaken for the MSN Messenger file of the same name!"
	Note the filename has a ""0"" rather than an upper case ""o"""
Y	!1_pgaccount	pgaccount.exe	"DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background
Y	!1_ProcessGuard_Startup	procguard.exe	"DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background
U	!AVG Anti-Spyware	avgas.exe	"Part of AVG Anti-Spyware from Grisoft"
U	!ewido	ewido.exe	"Part of Ewido anti-spyware"
N	!NoLoad	winrecon.exe	"WinRecon keystroke logger/monitoring program - remove unless you installed it yourself!"
main dri	"	X	wininfo.exe
Consume	"Consumer Input Rewarded with MyPoints	U	"ConsumerInputRewardedwithMyPoints
Consume	"Consumer Input Rewarded with MyPoints	U	"ConsumerInputRewardedwithMyPoints
Inc."	"Microsoft Associates	X	iexplorer.exe
Inc."	"Microsoft NetMeeting Associates	X	NetMeeting.exe
Inc."	"Miramar Systems	U	atmsg.exe
ME & XP	"MS Java Applets for Windows NT	U	javaapplets.exe
NT	"Ms Java for Windows 98	ME & XP"	X
NT	"Ms Java for Windows 98	XP & ME"	X
XP & ME	"MS Java for Windows NT	X	xpjavams.exe
Mass"	"Telechips	U	patch.exe
please	"This is a virus	X	bigbadvirus.exe
X	"Vaganza-XPloit-[User Name]"""	[user name].exe	"Added by the GAVGENT.A WORM!"
"	"[Ephemeral 2.5] by TreeHugger	X	[path to worm]
"	"[Ephemeral 2.x] by TreeHugger	X	[path to worm]
?	$EnterNet	Enternet.exe	"Connection manager for the EnterNet ISP. You can also use RASPPOE"
X	$sys$cmp	$sys$xp.exe	"Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer"
X	$sys$crash	$sys$sonyTimer.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$crash	$sys$sos$sys$.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$crash	$sys$WeLoveMcCOL.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$drv	$sys$drv.exe	"Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer"
X	$sys$momomomochin	$sys$sonyTimer.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$momomomochin	$sys$sos$sys$.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$momomomochin	$sys$WeLoveMcCOL.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$umaiyo	$sys$sonyTimer.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$umaiyo	$sys$sos$sys$.exe	"Added by the WELOMOCH TROJAN!"
X	$sys$umaiyo	$sys$WeLoveMcCOL.exe	"Added by the WELOMOCH TROJAN!"
U	$Volumouse$	volumouse.exe	"Volumouse from Nirsoft. ""Provides you a quick and easy way to control the sound volume on your system - simply by rolling the wheel of your wheel mouse"""
X	$WindowsRegKey%update	IEXPLORE.EXE	"Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer iexplore.exe process which is always located in the Program FilesInternet Explorer folder and should not normally figure in Msconfig/Startup! This file is located in the System (9x/Me) or System32 (NT/2K/XP) folder"
N	%cmpmixtitle%	%cmpmixstr%	"Possibly related to C-Media Mixer Control panel?"
N	%FP%012-L2TP fts.exe	fts.exe	012.Net.il Israeli ISP software front-end
U	%FP%012-L2TP FWPortal.exe	FWPortal.exe	012.Net.il Israeli ISP dial-up software
N	%FP%1776 Internet fts.exe	fts.exe	1776 Internet US ISP software ISP software front-end
U	%FP%1776 Internet FWPortal.exe	FWPortal.exe	1776 Internet US ISP dial-up software
N	%FP%Barak013 fts.exe	fts.exe	Barak013 Israeli ISP software front-end
U	%FP%Barak013 FWPortal.exe	FWPortal.exe	Barak013 Israeli ISP dial-up software
N	%FP%Friendly fts.exe	fts.exe	Friendly ISP software front-end
X	(*)API Machine	winSOCKS.exe	"Homepage hijacker
X	(*)Run	win32API.exe	"Homepage hijacker
X	(default)	[random filename].exe	"Added by the BLACKMAL WORM!"
X	(default)	rundll32.exe [path] Zykheptd.dll	"Added by the HESIVE.B TROJAN!"
X	(L4r1$$4) (4nt1) (V1ruz)	SP00Lsv32.pif	"Added by the ASSIRAL.B WORM!"
U	)Start Service	upssrv.exe	"Cyber Power PowerPanelPlus software. ""In the event of a power outage
X	*JanisRuckenbrodII	janis.com	"Added by the POPS WORM!"
X	*Microsoft Update	ctxma.exe	"Added by the STMU TROJAN!"
X	*Microsoft Update	cxma.exe	"Added by the STMU TROJAN!"
X	*Microsoft Update	wstcl.exe	"Added by the STMU TROJAN!"
X	*Microsoft Update	wucxt.exe	"Added by the STMU TROJAN!"
X	*Microsoft Update	wuytc.exe	"Added by the STMU TROJAN!"
X	*MS Setup	[random filename]	"Virtumondo adware
X	*Security Center	secctr.exe	"Added by the SDBOT.BRO WORM!"
Y	*StateMgr	statemgr.exe	Windows ME default for System Restore. Do NOT disable!
X	*windows update	wrauclt.exe	"Added by the RBOT-QU WORM!"
X	*windows update	wuanclt.exe	"Added by the RBOT-PG WORM!"
X	*windows update	wuaucrlt.exe	"Added by the SPYBOT.HUR WORM!"
X	*windows update	wuraclt.exe	"Added by the RBOT-PO WORM!"
X	*windows update	wurauclt.exe	"Added by the RBOT-SY WORM!"
X	*windows update	wsctl.exe	"Added by the SPYBOT.PR WORM!"
X	*windows update	wkmst.exe	"Added by the SDBOT.AVD WORM!"
X	*windows update	wscxt.exe	"Added by the RBOT.AOS WORM!"
X	*windows update	waurclt.exe	"Added by a variant of the RBOT WORM!"
X	*Windows [filename] Checker	[filename]	"Added by the KEDEBE-B WORM!"
X	*WindowsAudio	systemupd.exe	"Added by the AGENT-TH WORM!"
X	*WinLogon	[trojan path] ren time:[random number]	"Added by the VUNDO TROJAN!"
X	*winstats	winstats.exe	"Added by the GARGAFX TROJAN!"
X	*wuauclt.exe	w***.exe [ = random char]	"Added by a variant of the RBOT-UG WORM! Note - * in the filename represents a random char; variants spotted: wxmct.exe
X	.mscdr	lassa.exe	"Added by the WEBUS.C TROJAN!"
X	.mscdr	lsvchost.exe	"Added by the WEBUS.D TROJAN!"
X	.mscdsr	lsvchost.exe	"Added by the CR TROJAN!"
X	.mscsbl	svhost.exe	"Added by the CMQ TROJAN!"
X	.msfupdate	msveup.exe	"Added by the ALLOCUP.A WORM!"
X	.mssecure	mssecure.exe	"Added by the DDOS_BOXED.X TROJAN!"
?	.NET config	sysmon32.exe	"??"
X	.norton	rchost.exe	"Added by a variant of the BOXED-A TROJAN!"
X	.nvsvc	smss.exe	"Added by the IRCBOT-FP TROJAN! Note - this is not the legitimate smss.exe process which should not normally figure in Msconfig/Startup!"
X	.Prog	services.exe	"Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process
X	.Prog	winlogon.exe	"Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process
X	.protected	N/A	"Smithfraud variant"
X	.svchost	CSRSS.EXE	"Added by the WEBUS.F TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder"
X	.TEXTCONV	csrss.exe	"Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process
X	.TEXTCONV	lsass.exe	"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder"
X	.WMAudio	csrss.exe	"Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process
X	.WMAudio	lsass.exe	"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder"
N	/l:eng	N/A	"Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup
U	000	pit.exe	"Added by the PrivateEye surveillance software! Note - If you did not intentionally install this remove it"
X	000hpdllhos	hpdllhost.exe	"LZIO.com adware downloader"
U	000StTHK	000StTHK.exe	"Toshiba Hot key functionality for the function keys (Fn-Esc
X	0050726-007-i32-1	0050726-007-i32-1.exe	"Added by the BANCBAN-EC TROJAN!"
?	00DSKSVR00	desksaver.exe	"Related to Advanced Desktop Shield"
?	00DSKSVR01	desksaver.exe	"Related to Advanced Desktop Shield"
U	00THotkey	00THotKey.exe	"For Toshiba Satellite notebook series to use the front buttons
U	0190 Warner	WARN0190.EXE	"Anti-dialer program (Germany)"
U	0900 Warner	WARN0900.EXE	"Anti-dialer program (Germany)"
X	0mcamcap	0mcamcap.exe	"Added by the COSIAM-H TROJAN!"
X	0utlook Express	****.exe [ = random char]	"Added by the RBOT-CC WORM! Note the first letter is actually the digit ""0"" and not a capital ""o"""
X	1	1.exe	"Added by the ESTEEMS TROJAN!"
X	1	lsass.scr	"Added by the BANCOS.V TROJAN!"
X	1	svchost.scr	"Added by the BANCOS.X TROJAN!"
X	1111swapmgr.exe	1111swapmgr.exe	"Added by the IC TROJAN!"
X	123456	"rundll32.exe shell32.dll	Control_RunDLL ...123456.cpl"
U	12Ghosts Popup-Killer	12popup.exe	"12Ghosts Popup-Killer"
?	17779Proj2002	N/A	"??"
X	180adsolution	180adsolution.exe	"NCase adware"
X	180ax	180ax.exe	"NCase adware"
X	180ClientStubInstall	stubinstaller***.exe [ = digit]	"180Solutions adware related"
X	180ClientStubInstall	[path to trojan]	"180Solutions adware related"
X	180ClientStubInstall	*****.tmp [ = random digit/char]	"180Solutions adware related"
X	196_150_ni	196_150_ni.exe	"WinFixer web installer. Winfixer is ""Foistware""
X	197_150_ni_3	197_150_ni_3.exe	"WinFixer web installer. Winfixer is ""Foistware""
N	1:	hpdrv.exe	HP utility for monitoring when and how many recoveries have been done
N	1A:MacVisionTrayMonitor	TrayMonitor.exe	Comes with the MacVision program for monitoring tray icons (Note : program is by Stardock)
Y	1A:Stardock MCP	mcpserver.exe	"Master Control Program for Stardock apps
Y	1A:Stardock TrayMonitor	TrayServer.exe	For monitoring tray icons - if disabled icons will not be displayed in ObjectBar or DesktopX
?	1CmailS	NETMAIL.EXE	"??"
X	1on1	1on1.exe	Adult content dialler
U	1Srv32	SpyAgent4.exe	"SpyTech SpyAgent monitoring software. "Spy software that allows you to monitor EVERYTHING users do on your PC.""
U	1Win32Cfg	SpyBuddy.exe	"SpyBuddy keystroke logger/monitoring program - remove unless you installed it yourself!"
U	1Win32Cfg	Keyloggerpro.exe	"Keyloggerpro keystroke logger/monitoring program - remove unless you installed it yourself!"
X	1WinCfg32	WebMailSpy.exe	"WebMailSpy spyware"
X	2020Downloader	mssvr.exe	"2020Search Toolbar"
X	252	winmgr.exe	"Added by the LEGMIR-AT TROJAN!"

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.